GCHQ's National Cyber Security Centre has warned that several SSL VPN products from vendors Pulse Secure, Fortinet and Palo Alto feature multiple security vulnerabilities that allow attackers to retrieve arbitrary files, including those that may contain authentication credentials.
In an advisory published last week, NCSC said that these vulnerable SSL VPN products are used by government departments, military institutions, as well as academic, business and healthcare organisations, thereby indicating that malicious hackers could impact a large number of organisations by exploiting vulnerabilities in VPN products.
It warned that if an attacker is able to retrieve an arbitrary file containing authentication credentials from a VPN, the attacker can use the stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure. The attacker can also use stolen credentials to gain privileges necessary to run secondary exploits aimed at accessing a root shell.
"Users of these VPN products should investigate their logs for evidence of compromise, especially if it is possible that patches were not applied immediately after their release," said NCSC, adding that administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times.
"System administrators who suspect that exploitation may have occurred or cannot rule out this possibility should revoke credentials that were at risk of theft. This may include both administrative and user credentials. Resetting authentication credentials will defend against unauthorised access using credentials acquired prior to patching affected systems," it added.
While an attacker can download sslvpn_websession, which contains the usernames and passwords of active users from Fortigate's VPN products by exploiting CVE-2018-13379, Palo Alto's GlobalProtect SSL VPN 7.1.x < 7.1.19, GlobalProtect SSL VPN 8.0.x < 8.0.12, and GlobalProtect SSL VPN 8.1.x < 8.1.3 VPN versions are also vulnerable to exploits.
Security patches for existing vulnerabilities already rolled out by VPN vendors
Users of these VPN products can prevent attackers from exploiting known vulnerabilities by applying the latest security patches released by their respective vendors and by resetting authentication credentials associated with affected VPNs and accounts connecting through them.
Following are the vulnerabilities in various VPN products offered by Palo Alto, Fortinet, and Pulse Secure that have been highlighted by NCSC. All three vendors have released security patches to remove respective security vulnerabilities.
Pulse Connect Secure:
CVE-2019-11510: Pre-auth arbitrary file reading
CVE-2019-11539: Post-auth command injection
CVE-2018-13379: Pre-auth arbitrary file reading
CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.
CVE-2019-1579: Palo Alto Networks GlobalProtect Portal
Recently, the National Security Agency (NSA) also released an advisory, warning organisations about the presence of several security vulnerabilities in Virtual Private Network (VPN) applications that, if exploited, could allow an attacker to take control over respective VPN products. Details of the same can be found here.
Users of VPN products must reset access credentials & access tokens for cloud services
"Given the nature of the vulnerabilities, it’s entirely possible that a successful exploit has occurred with at least one user of an impacted system. Proper patching in this context requires both a reset of any access credentials and potentially a reset of any access tokens used by users for cloud services," says Tim Mackey, Principal Security Strategist at Synopsys CyRC.
"The credential reset must occur after the patch has been applied as any reset prior to the patch could enable the attackers to collect the updated credentials. It’s also worth noting that the researchers were able to demonstrate a bypass of a 2FA solution meaning that organisations who are delaying rollout of patches believing that their MFA solution mitigates the attack vector may be at greater risk. The last part of the remediation is to perform a forensic analysis to ensure that no infection occurred and that systems are configured as expected.
"For the technical folks out there, this situation was created in part due to VPN vendors creating proprietary implementations of secure communication protocols. Unlike implementations from open source solutions, proprietary implementations of security solutions often lack the level of scrutiny afforded to implementations performed by open source communities.
"Additionally, the VPN solutions involved allow for proprietary extensions to be written in languages like C/C++, Perl or Python. These extensions all require additional care when validating and executing an extension.
"To best address the types of problems covered in this advisory, VPN vendors should implement a security regimen encompassing protocol fuzzing and threat models. VPN customers expect their VPN to provide a highly secure connection from a public network, and public networks are notoriously unreliable making any instability within the VPN an opportunity for attack," he adds.
ALSO READ: It’s time to kill the VPN